[Ksplice-cloudlinux6-updates] New updates available via Ksplice (2.6.32-604.16.2.lve1.3.54.el6)

Jamie Iles jamie.iles at oracle.com
Thu Aug 13 13:17:46 PDT 2015


Synopsis: 2.6.32-604.16.2.lve1.3.54.el6 can now be patched using Ksplice
CVEs: CVE-2011-5321 CVE-2013-2596 CVE-2014-3122 CVE-2014-3184 CVE-2014-3185 CVE-2014-3215 CVE-2014-3611 CVE-2014-3645 CVE-2014-3646 CVE-2014-3673 CVE-2014-3687 CVE-2014-3688 CVE-2014-3690 CVE-2014-3940 CVE-2014-4608 CVE-2014-4652 CVE-2014-4653 CVE-2014-4654 CVE-2014-4655 CVE-2014-4656 CVE-2014-5045 CVE-2014-5471 CVE-2014-5472 CVE-2014-6410 CVE-2014-7822 CVE-2014-7825 CVE-2014-7826 CVE-2014-7841 CVE-2014-8133 CVE-2014-8159 CVE-2014-8160 CVE-2014-8709 CVE-2014-8884 CVE-2014-9419 CVE-2014-9420 CVE-2014-9529 CVE-2014-9584 CVE-2014-9585 CVE-2014-9683 CVE-2015-0239 CVE-2015-0565 CVE-2015-1421 CVE-2015-1593 CVE-2015-2830 CVE-2015-2922 CVE-2015-2925 CVE-2015-3331 CVE-2015-3339 CVE-2015-3636 CVE-2015-5364 CVE-2015-5366

Systems running CloudLinux 6 can now use Ksplice to patch against the
latest CloudLinux 6 kernel update, 2.6.32-604.16.2.lve1.3.54.el6.

INSTALLING THE UPDATES

We recommend that all users of Ksplice Uptrack on CloudLinux 6 install
these updates.

On systems that have "autoinstall = yes" in /etc/uptrack/uptrack.conf,
these updates will be installed automatically and you do not need to
take any action.

Alternatively, you can install these updates by running:

# /usr/sbin/uptrack-upgrade -y
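As an added example, not part of this advisory or of the Ksplice tooling, the following POSIX shell helper reads the autoinstall key from an uptrack.conf and tells an operator whether the manual upgrade command above is still needed; the sample configs are constructed here, and the "[Settings]" section header and the treatment of a missing key as "no" are assumptions.

```shell
#!/bin/sh
# Decide whether a CloudLinux 6 host still needs a manual uptrack-upgrade,
# based on the "autoinstall" key in /etc/uptrack/uptrack.conf.

# Print "yes" or "no" for the effective autoinstall value in the given file.
# Comments (# or ;), surrounding whitespace and letter case are ignored; the
# last occurrence wins; a missing key or file counts as "no" (an assumption).
uptrack_autoinstall() {
    conf="$1"
    [ -r "$conf" ] || { echo no; return 0; }
    val=$(sed -n \
        -e 's/[[:space:]]*[#;].*$//' \
        -e 's/^[[:space:]]*autoinstall[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*$/\1/p' \
        "$conf" | tail -n 1 | tr 'A-Z' 'a-z')
    case "$val" in
        yes|true|1) echo yes ;;
        *)          echo no ;;
    esac
}

# Print the action an operator should take for this advisory.
recommend_action() {
    case "$(uptrack_autoinstall "$1")" in
        yes) echo "autoinstall enabled: updates apply automatically" ;;
        no)  echo "run: /usr/sbin/uptrack-upgrade -y" ;;
    esac
}

# Constructed sample configs (section name and layout are assumptions).
tmp=${TMPDIR:-/tmp}/uptrack-demo.$$
mkdir -p "$tmp"
printf '[Settings]\n# autoinstall = no\nautoinstall = Yes   ; enabled\n' > "$tmp/auto.conf"
printf '[Settings]\nautoinstall = no\n' > "$tmp/manual.conf"
printf '[Settings]\n# autoinstall = yes\n' > "$tmp/commented.conf"

recommend_action "$tmp/auto.conf"       # autoinstall enabled
recommend_action "$tmp/manual.conf"     # run: /usr/sbin/uptrack-upgrade -y
recommend_action "$tmp/commented.conf"  # run: /usr/sbin/uptrack-upgrade -y
rm -rf "$tmp"
```

Point it at the real /etc/uptrack/uptrack.conf to check a live host; it only reads the file and never runs the upgrade itself.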


DESCRIPTION

* CVE-2013-2596: Privilege escalation in video frame buffer driver.

Integer overflow in the fb_mmap() function allows local users to create a
read-write memory mapping for the entirety of kernel memory, and
consequently gain privileges, via crafted /dev/graphics/fb0 mmap2 system
calls.


* CVE-2014-3122: Denial-of-service in non-linear memory mappings.

An assertion failure and kernel panic can be triggered when unmapping a
non-linear memory mapping.  This could be exploited by a local,
unprivileged user to crash the system.


* CVE-2014-4608: Integer overflow in LZO when uncompressing blocks larger than 16MB.

Lack of input validation in the LZO library could cause an integer overflow
when uncompressing blocks larger than 16MB, potentially leading to kernel
code execution. A local attacker could use this flaw to elevate privileges.


* CVE-2014-4654, CVE-2014-4655: Missing validity checks in ALSA user controls.

Missing validity checks when replacing user controls could lead to an attempt
to free something that is not a user control or a control that is not owned
by the process. Userspace was also allowed to bypass the user control count
by overflowing it.


* CVE-2014-4653: Use after free in ALSA card controls.

Missing synchronization in ALSA card controls could lead to a control
being freed while being in use.


* CVE-2014-5045: Denial-of-service in virtual filesystem core when trying to unmount a symlink.

Trying to unmount a symlink file on a mounted filesystem would increase the
reference counter for the mount point, preventing any further unmounting. A
local, privileged user could use this flaw to prevent any mount point from
being unmounted.


* CVE-2014-3185: Memory corruption in USB serial WhiteHEAT device driver.

The USB ConnectTech WhiteHEAT serial driver is vulnerable to a memory
corruption flaw. It could occur when reading completion commands via USB
Request Blocks buffers.

A local user with physical access to the system could use this flaw to
corrupt kernel memory or crash the system kernel, resulting in a
denial-of-service.


* CVE-2014-3645 and CVE-2014-3646: KVM guest denial-of-service when using invalid opcodes.

The KVM host emulator does not gracefully handle a KVM guest using the
invept or invvpid opcodes, causing a guest VM exit without proper error
codes being propagated to userspace. A local, unprivileged guest user
could use this flaw to crash a KVM guest VM and cause a denial-of-service.


* CVE-2014-3611: Denial-of-service in KVM emulated programmable interval timer.

Incorrect locking in the KVM emulated programmable interval timer (PIT)
could crash the host kernel under specific conditions. A local attacker
could use this flaw to cause a denial-of-service in the host KVM.


* CVE-2014-7825, CVE-2014-7826: Perf DoS and local privilege escalation.

Missing validation of the syscall id range allows an attacker to trigger a
kernel panic, or leverage it into gaining root privileges if root was
doing perf tracing at that time.


* CVE-2014-6410: Denial of service in UDF filesystem parsing.

The kernel UDF filesystem driver does not correctly validate indirect
inodes allowing a malicious user to cause a kernel panic by mounting a
UDF volume with deeply nested indirect inodes.


* CVE-2014-3673: Remote denial-of-service in SCTP stack.

A flaw in the SCTP stack when receiving malformed ASCONF chunks leads to a
kernel panic. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-3687: Remote denial-of-service in SCTP stack.

A flaw in the SCTP stack when receiving duplicate ASCONF chunks leads to a
kernel panic. A remote attacker could use this flaw to cause a
denial-of-service.


* CVE-2014-3688: Remote denial-of-service in SCTP stack by memory exhaustion.

A flaw in the SCTP stack could allow a remote attacker to force an SCTP
server to allocate large amounts of memory and trigger the kernel
out-of-memory killer, leading to a denial-of-service.


* CVE-2014-5471, CVE-2014-5472: Privilege escalation in ISO filesystem implementation.

The parse_rock_ridge_inode_internal() function in the ISO filesystem driver
does not correctly check relocated directories when processing Rock Ridge
child link tags. An attacker with physical access to the system could use a
specially crafted ISO image to cause a denial of service or, potentially,
escalate their privileges.


* Kernel panic when pruning a dentry from the cache while unmounting the filesystem.

A race condition in the filesystem dcache implementation could lead to a
kernel panic when pruning a dentry from the cache if the filesystem was being
unmounted.  A privileged user in a container could use this flaw to cause
a denial-of-service.


* Denial-of-service in ext4 filesystem on umount().

A lack of inode removal from the orphan list when deleting an inode could
lead to a BUG_ON() assertion being triggered on umount().  A local, privileged
user could use this flaw to cause a denial-of-service.


* CVE-2014-7841: NULL pointer dereference with SCTP server during ASCONF.

A problem with how the SCTP stack verifies input can lead to a NULL pointer
dereference and kernel panic.  A malicious user could exploit this using
a specially crafted packet to cause a denial-of-service.


* CVE-2014-4656: Denial-of-service in ALSA Control IDs.

An integer overflow in Advanced Linux Sound Architecture (ALSA) could be
exploited by a local, privileged user to crash the system by adding and
removing controls.


* NULL pointer dereference in bridge driver when setting MAC address.

Lack of checking for NULL when changing the MAC address of a bridge device
could lead to a NULL pointer dereference.  A local, privileged user could
use this flaw to cause a denial-of-service.


* Memory leak in proc filesystem when following symlinks.

A missing reference drop on error when following a symlink leads to a
memory leak.  A local, unprivileged user could use this flaw to exhaust the
memory on the system and cause a denial-of-service.


* Memory leak when changing a network device namespace.

A missing reference drop when changing a network device namespace leads to
a memory leak. A local, privileged user could use this flaw to exhaust the
memory on the system and cause a denial-of-service.


* CVE-2014-8160: iptables rules bypass when the protocol module is not loaded.

A flaw in the generic conntrack sub-system allows protocols that do not
have a protocol handler kernel module loaded to pass through the iptables
firewall even if explicitly denied by rule.


* CVE-2014-7822: Incorrect parameter validation in splice() system call.

An incorrect parameter validation in the splice() system call could allow
a local, unprivileged user to use this flaw to write past the maximum
file size, and thus crash the system.


* CVE-2014-8159: Privilege escalation in Infiniband userspace access.

Missing sanitization of userspace input to the Infiniband userspace
memory access subsystem could allow a local user with access to the
/dev/infiniband/uverbsX device nodes to crash the system or,
potentially, escalate their privileges on the system.


* Hardening of /proc/<pid>/pagemap to mitigate CVE-2015-0565.

The CAP_SYS_ADMIN capability is now required to access /proc/<pid>/pagemap
which exposes sensitive information which can be used for rowhammer-like
attacks (CVE-2015-0565).


* CVE-2014-9529: Use-after-free when garbage collecting keys.

A logic error when garbage collecting cryptographic keys leads to a
use-after-free and kernel panic. A local user could use this flaw to crash
the kernel and cause a denial-of-service.


* CVE-2015-1421: Privilege escalation in SCTP INIT collisions.

Missing reference counting could result in a use-after-free during an
INIT collision when establishing an SCTP socket.  A remote attacker
could use this flaw to trigger a denial-of-service or potentially gain
privileges.


* CVE-2014-9584: Out-of-bounds memory access in ISO filesystem when printing ER records.

A missing input validation when printing ER records on the iso9660 driver
could lead to an out-of-bounds memory write, potentially leading to a
kernel panic.  A local attacker could use a corrupted ISO file to cause a
denial-of-service.


* CVE-2014-8884: Buffer overflow in DEC2000 and DEC3000 USB adapters.

A lack of input validation when copying an ioctl command could lead to
overflowing data on the stack, causing a kernel panic. A local user could
use this flaw to cause a denial-of-service or potentially escalate
privileges.


* Memory corruption in USB EHCI.

Failure to properly set pointers for isochronous URBs can cause URBs to
be improperly reused, leading to list corruption and a system freeze.


* CVE-2014-3690: Denial of Service in KVM/VMX CR4 register management.

KVM on VMX does not reload the CR4 register when it changes on the host,
which means that host features aren't updated on guests. This could lead
to a local denial of service.


* CVE-2014-3215: Privilege escalation in seunshare execution of binaries.

A bug in libcap-ng could allow local, unprivileged users to potentially
escalate privileges on a system, exploitable through seunshare and other
tools.


* CVE-2014-9419: Address leak on context switch bypasses ASLR.

A flaw in the context switch code could lead to leaking another thread's
local storage area.  A local, unprivileged user could use this flaw to gain
information about another process address space mappings and bypass address
space layout randomization.


* CVE-2014-9420: Infinite loop in isofs when parsing continuation entries.

A flaw in the iso9660 file system support could lead to an infinite
recursion loop when parsing continuation entries.  An unprivileged user
could use this flaw to crash the system resulting in a denial-of-service.


* CVE-2014-9585: Address space layout randomization bypass for VDSO address.

A flaw in the VDSO code loader leads to a 50% chance of having the VDSO
address placed at the end of a PMD. This could allow an attacker to bypass
ASLR protections more easily.


* CVE-2015-3331: Denial-of-service in Intel AES RFC4106 decryption.

Incorrect mapping of buffers in the Intel AES RFC4106 implementation
could result in a kernel crash.  A local, unprivileged user with access
to AF_ALG(aead) sockets could use this flaw to trigger a
denial-of-service.


* CVE-2015-2925: Privilege escalation in bind mounts inside namespaces.

Incorrect handling of renames inside container bind mounts could allow a
local user to escape a container and escalate privileges under specific
conditions.


* CVE-2015-5364, CVE-2015-5366: Kernel hang on UDP flood with wrong checksums.

A flaw in the UDP handling of wrong checksums could lead to a kernel hang
under a UDP flood attack.  A remote attacker could use this flaw to cause a
denial-of-service.


* Kernel panic in netlink_dump caused by repeated unlock.

Nodes could crash due to a repeated unlock call in the netlink code.


* Memory corruption when allocating a new process ID.

A logic error in the process ID allocation routine could lead to memory
corruptions under certain circumstances.  A local, unprivileged user could
use this flaw to cause a kernel panic or potentially escalate privileges.


* CVE-2011-5321: NULL pointer dereference in TTY subsystem.

Incorrect error handling could result in a NULL pointer dereference when
opening a TTY device.  A local, unprivileged user could use this flaw to
crash the system.


* CVE-2015-1593: Stack layout randomization entropy reduction.

A flaw in the stack base randomization code could result in a
reduction of entropy by a factor of four.  An attacker could use this
flaw to reduce the amount of work needed to bypass ASLR.


* CVE-2015-2922: Denial-of-service of IPv6 networks when handling router advertisements.

A flaw in the IPv6 stack allowed a remote attacker on the same network to
set the hop limit to a smaller value than the default one, preventing
devices on that network from sending or receiving.


* CVE-2015-3636: Memory corruption when unhashing IPv4 ping sockets.

The kernel IPv4 subsystem does not correctly handle unhashing a ping
socket which can trigger kernel memory corruption. A local user can use
this flaw to gain elevated privileges.


* CVE-2015-2830: Mishandling of int80 fork from a 64-bit application.

A flaw in the ret_from_fork assembly stub does not prevent the TS_COMPAT
flag from reaching a user-mode task.  An attacker could potentially use
this flaw to bypass the seccomp or audit protections via a crafted
application.


* CVE-2014-3184: Invalid memory write in HID drivers.

Several HID drivers (Cherry Cymotion keyboard, KYE/Genius devices,
Logitech devices, Monterey Genius KB29E keyboard, Petalynx Maxtor
remote control, and Sunplus wireless desktop) are vulnerable to an
out-of-bounds write due to some off-by-one bugs.  This could occur if
a HID device report offers an invalid report descriptor size.

A local user with physical access to the system could use this flaw to
write past an allocated memory buffer.


* CVE-2014-3940: Memory corruption during huge page migration.

A missing check to verify the page table entry is present when gathering
stats about huge pages could lead to a memory corruption if the huge pages
are being migrated concurrently. A local, unprivileged user could use this
flaw to cause a denial-of-service.


* CVE-2014-4652: Arbitrary memory disclosure in ALSA user controls.

Lack of synchronization between reads and writes to ALSA user controls
could lead to a kernel memory disclosure.


* CVE-2014-8133: Information leak in thread area of 32-bit KVM guests.

The espfix implementation which prevents kernel information leaking to
unprivileged guests can be bypassed by creating a custom thread area. A
local unprivileged user could potentially use this flaw to leak stack
addresses.


* CVE-2014-8709: Information leak in mac80211 when transferring fragmented packet.

A flaw in the mac80211 stack could result in leaking 8 bytes of plain text
over the air. An attacker physically within range of the WiFi network could
use this flaw to obtain sensitive information.


* CVE-2014-9683: Out-of-bounds memory write in eCryptfs when decoding a file name.

A lack of input validation when decoding a file name in the eCryptfs driver
could lead to an out-of-bounds memory write of one zero byte, potentially
causing a kernel panic.  A local user could use a specially crafted
eCryptfs filesystem to cause a denial-of-service.


* CVE-2015-0239: Privilege escalation in KVM sysenter emulation.

The KVM emulation of the sysenter instruction does not validate 16-bit
code segments which can allow a local attacker to potentially elevate
privileges.


* CVE-2015-3339: Privilege escalation due to race condition between execve and chown.

The execve() syscall can race with inode attribute changes made by chown().
This race condition could result in execve() setting uid/gid to the new
owner, leading to privilege escalation.


* Privilege escalation in mount namespaces.

Incorrect installation of mount namespaces could allow a malicious
privileged user in a container to access the host filesystem.

SUPPORT

Ksplice support is available at ksplice-support_ww at oracle.com.
